diff -up rsyslog-8.24.0/plugins/imtcp/imtcp.c.v36tls rsyslog-8.24.0/plugins/imtcp/imtcp.c

--- rsyslog-8.24.0/plugins/imtcp/imtcp.c.v36tls	2019-08-19 17:37:07.872166694 +0100

+++ rsyslog-8.24.0/plugins/imtcp/imtcp.c	2019-08-19 17:37:07.876166693 +0100

@@ -100,6 +100,7 @@ static struct configSettings_s {

 	int bDisableLFDelim;

 	int bUseFlowControl;

 	int bPreserveCase;

+	uchar *gnutlsPriorityString;

 	uchar *pszStrmDrvrAuthMode;

 	uchar *pszInputName;

 	uchar *pszBindRuleset;

@@ -136,6 +137,7 @@ struct modConfData_s {

 	int iKeepAliveProbes;

 	int iKeepAliveTime;

 	sbool bEmitMsgOnClose; /* emit an informational message on close by remote peer */

+	uchar *gnutlsPriorityString;

 	uchar *pszStrmDrvrName; /* stream driver to use */

 	uchar *pszStrmDrvrAuthMode; /* authentication mode to use */

 	struct cnfarray *permittedPeers;

@@ -164,7 +166,8 @@ static struct cnfparamdescr modpdescr[]

 	{ "keepalive.probes", eCmdHdlrPositiveInt, 0 },

 	{ "keepalive.time", eCmdHdlrPositiveInt, 0 },

 	{ "keepalive.interval", eCmdHdlrPositiveInt, 0 },

-	{ "preservecase", eCmdHdlrBinary, 0 }

+	{ "preservecase", eCmdHdlrBinary, 0 },

+	{ "gnutlsprioritystring", eCmdHdlrString, 0 }

 };

 static struct cnfparamblk modpblk =

 	{ CNFPARAMBLK_VERSION,

@@ -354,6 +357,7 @@ addListner(modConfData_t *modConf, insta

 		CHKiRet(tcpsrv.SetKeepAliveIntvl(pOurTcpsrv, modConf->iKeepAliveIntvl));

 		CHKiRet(tcpsrv.SetKeepAliveProbes(pOurTcpsrv, modConf->iKeepAliveProbes));

 		CHKiRet(tcpsrv.SetKeepAliveTime(pOurTcpsrv, modConf->iKeepAliveTime));

+		CHKiRet(tcpsrv.SetGnutlsPriorityString(pOurTcpsrv, modConf->gnutlsPriorityString));

 		CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, modConf->iTCPSessMax));

 		CHKiRet(tcpsrv.SetLstnMax(pOurTcpsrv, modConf->iTCPLstnMax));

 		CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, modConf->iStrmDrvrMode));

@@ -463,6 +467,7 @@ CODESTARTbeginCnfLoad

 	loadModConf->bEmitMsgOnClose = 0;

 	loadModConf->iAddtlFrameDelim = TCPSRV_NO_ADDTL_DELIMITER;

 	loadModConf->bDisableLFDelim = 0;

+	loadModConf->gnutlsPriorityString = NULL;

 	loadModConf->pszStrmDrvrName = NULL;

 	loadModConf->pszStrmDrvrAuthMode = NULL;

 	loadModConf->permittedPeers = NULL;

@@ -517,6 +522,8 @@ CODESTARTsetModCnf

 			loadModConf->iKeepAliveTime = (int) pvals[i].val.d.n;

 		} else if(!strcmp(modpblk.descr[i].name, "keepalive.interval")) {

 			loadModConf->iKeepAliveIntvl = (int) pvals[i].val.d.n;

+		} else if(!strcmp(modpblk.descr[i].name, "gnutlsprioritystring")) {

+			loadModConf->gnutlsPriorityString = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);

 		} else if(!strcmp(modpblk.descr[i].name, "streamdriver.mode")) {

 			loadModConf->iStrmDrvrMode = (int) pvals[i].val.d.n;

 		} else if(!strcmp(modpblk.descr[i].name, "streamdriver.authmode")) {

diff -up rsyslog-8.24.0/runtime/netstrm.c.v36tls rsyslog-8.24.0/runtime/netstrm.c

--- rsyslog-8.24.0/runtime/netstrm.c.v36tls	2017-01-10 09:00:04.000000000 +0000

+++ rsyslog-8.24.0/runtime/netstrm.c	2019-08-19 17:37:07.876166693 +0100

@@ -280,6 +280,16 @@ SetKeepAliveIntvl(netstrm_t *pThis, int

 	RETiRet;

 }

+/* gnutls priority string */

+static rsRetVal

+SetGnutlsPriorityString(netstrm_t *pThis, uchar *gnutlsPriorityString)

+{

+	DEFiRet;

+	ISOBJ_TYPE_assert(pThis, netstrm);

+	iRet = pThis->Drvr.SetGnutlsPriorityString(pThis->pDrvrData, gnutlsPriorityString);

+	RETiRet;

+}

+

 /* check connection - slim wrapper for NSD driver function */

 static rsRetVal

 CheckConnection(netstrm_t *pThis)

@@ -387,6 +397,7 @@ CODESTARTobjQueryInterface(netstrm)

 	pIf->SetKeepAliveProbes = SetKeepAliveProbes;

 	pIf->SetKeepAliveTime = SetKeepAliveTime;

 	pIf->SetKeepAliveIntvl = SetKeepAliveIntvl;

+	pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;

 finalize_it:

 ENDobjQueryInterface(netstrm)

diff -up rsyslog-8.24.0/runtime/netstrm.h.v36tls rsyslog-8.24.0/runtime/netstrm.h

--- rsyslog-8.24.0/runtime/netstrm.h.v36tls	2017-01-10 09:00:04.000000000 +0000

+++ rsyslog-8.24.0/runtime/netstrm.h	2019-08-19 17:37:07.876166693 +0100

@@ -75,14 +75,16 @@ BEGINinterface(netstrm) /* name must als

 	rsRetVal (*SetKeepAliveProbes)(netstrm_t *pThis, int keepAliveProbes);

 	rsRetVal (*SetKeepAliveTime)(netstrm_t *pThis, int keepAliveTime);

 	rsRetVal (*SetKeepAliveIntvl)(netstrm_t *pThis, int keepAliveIntvl);

+	rsRetVal (*SetGnutlsPriorityString)(netstrm_t *pThis, uchar *priorityString);

 ENDinterface(netstrm)

-#define netstrmCURR_IF_VERSION 8 /* increment whenever you change the interface structure! */

+#define netstrmCURR_IF_VERSION 9 /* increment whenever you change the interface structure! */

 /* interface version 3 added GetRemAddr()

  * interface version 4 added EnableKeepAlive() -- rgerhards, 2009-06-02

  * interface version 5 changed return of CheckConnection from void to rsRetVal -- alorbach, 2012-09-06

  * interface version 6 changed signature of GetRemoteIP() -- rgerhards, 2013-01-21

  * interface version 7 added KeepAlive parameter set functions

  * interface version 8 changed signature of Connect() -- dsa, 2016-11-14

+ * interface version 9 added SetGnutlsPriorityString -- PascalWithopf, 2017-08-08

  * */

 /* prototypes */

diff -up rsyslog-8.24.0/runtime/netstrms.c.v36tls rsyslog-8.24.0/runtime/netstrms.c

--- rsyslog-8.24.0/runtime/netstrms.c.v36tls	2016-12-03 17:41:03.000000000 +0000

+++ rsyslog-8.24.0/runtime/netstrms.c	2019-08-19 17:37:07.876166693 +0100

@@ -113,6 +113,10 @@ CODESTARTobjDestruct(netstrms)

 		free(pThis->pBaseDrvrName);

 		pThis->pBaseDrvrName = NULL;

 	}

+	if(pThis->gnutlsPriorityString != NULL) {

+		free(pThis->gnutlsPriorityString);

+		pThis->gnutlsPriorityString = NULL;

+	}

 ENDobjDestruct(netstrms)

@@ -196,6 +200,31 @@ GetDrvrAuthMode(netstrms_t *pThis)

 }

+/* Set the priorityString for GnuTLS

+ * PascalWithopf 2017-08-16

+ */

+static rsRetVal

+SetDrvrGnutlsPriorityString(netstrms_t *pThis, uchar *iVal)

+{

+	DEFiRet;

+	ISOBJ_TYPE_assert(pThis, netstrms);

+	CHKmalloc(pThis->gnutlsPriorityString = (uchar*)strdup((char*)iVal));

+finalize_it:

+	RETiRet;

+}

+

+

+/* return the priorityString for GnuTLS

+ * PascalWithopf, 2017-08-16

+ */

+static uchar*

+GetDrvrGnutlsPriorityString(netstrms_t *pThis)

+{

+	ISOBJ_TYPE_assert(pThis, netstrms);

+	return pThis->gnutlsPriorityString;

+}

+

+

 /* set the driver mode -- rgerhards, 2008-04-30 */

 static rsRetVal

 SetDrvrMode(netstrms_t *pThis, int iMode)

@@ -272,6 +301,8 @@ CODESTARTobjQueryInterface(netstrms)

 	pIf->GetDrvrMode = GetDrvrMode;

 	pIf->SetDrvrAuthMode = SetDrvrAuthMode;

 	pIf->GetDrvrAuthMode = GetDrvrAuthMode;

+	pIf->SetDrvrGnutlsPriorityString = SetDrvrGnutlsPriorityString;

+	pIf->GetDrvrGnutlsPriorityString = GetDrvrGnutlsPriorityString;

 	pIf->SetDrvrPermPeers = SetDrvrPermPeers;

 	pIf->GetDrvrPermPeers = GetDrvrPermPeers;

 finalize_it:

diff -up rsyslog-8.24.0/runtime/netstrms.h.v36tls rsyslog-8.24.0/runtime/netstrms.h

--- rsyslog-8.24.0/runtime/netstrms.h.v36tls	2016-12-03 17:41:03.000000000 +0000

+++ rsyslog-8.24.0/runtime/netstrms.h	2019-08-19 17:37:07.876166693 +0100

@@ -33,6 +33,7 @@ struct netstrms_s {

 	uchar *pDrvrName;	/**< full base driver name (set when driver is loaded) */

 	int iDrvrMode;		/**< current default driver mode */

 	uchar *pszDrvrAuthMode;	/**< current driver authentication mode */

+	uchar *gnutlsPriorityString; /**< priorityString for connection */

 	permittedPeers_t *pPermPeers;/**< current driver's permitted peers */

 	nsd_if_t Drvr;		/**< our stream driver */

@@ -52,6 +53,8 @@ BEGINinterface(netstrms) /* name must al

 	int      (*GetDrvrMode)(netstrms_t *pThis);

 	uchar*   (*GetDrvrAuthMode)(netstrms_t *pThis);

 	permittedPeers_t* (*GetDrvrPermPeers)(netstrms_t *pThis);

+	rsRetVal (*SetDrvrGnutlsPriorityString)(netstrms_t *pThis, uchar*);

+	uchar*   (*GetDrvrGnutlsPriorityString)(netstrms_t *pThis);

 ENDinterface(netstrms)

 #define netstrmsCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */

diff -up rsyslog-8.24.0/runtime/nsd_gtls.c.v36tls rsyslog-8.24.0/runtime/nsd_gtls.c

--- rsyslog-8.24.0/runtime/nsd_gtls.c.v36tls	2017-01-10 09:00:04.000000000 +0000

+++ rsyslog-8.24.0/runtime/nsd_gtls.c	2019-08-19 17:39:30.576158227 +0100

@@ -73,8 +73,20 @@ DEFobjCurrIf(nsd_ptcp)

 static int bGlblSrvrInitDone = 0;	/**< 0 - server global init not yet done, 1 - already done */

-static pthread_mutex_t mutGtlsStrerror; /**< a mutex protecting the potentially non-reentrant gtlStrerror() function */

+static pthread_mutex_t mutGtlsStrerror;

+/*< a mutex protecting the potentially non-reentrant gtlStrerror() function */

+/* a macro to abort if GnuTLS error is not acceptable. We split this off from

+ * CHKgnutls() to avoid some Coverity report in cases where we know GnuTLS

+ * failed. Note: gnuRet must already be set accordingly!

+ */

+#define ABORTgnutls { \

+		uchar *pErr = gtlsStrerror(gnuRet); \

+		LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d in %s:%d: %s\n", \

+	gnuRet, __FILE__, __LINE__, pErr); \

+		free(pErr); \

+		ABORT_FINALIZE(RS_RET_GNUTLS_ERR); \

+}

 /* a macro to check GnuTLS calls against unexpected errors */

 #define CHKgnutls(x) { \

 	gnuRet = (x); \

@@ -82,10 +94,7 @@ static pthread_mutex_t mutGtlsStrerror;

 		errmsg.LogError(0, RS_RET_GNUTLS_ERR, "error reading file - a common cause is that the file  does not exist"); \

 		ABORT_FINALIZE(RS_RET_GNUTLS_ERR); \

 	} else if(gnuRet != 0) { \

-		uchar *pErr = gtlsStrerror(gnuRet); \

-		errmsg.LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d in %s:%d: %s\n", gnuRet, __FILE__, __LINE__, pErr); \

-		free(pErr); \

-		ABORT_FINALIZE(RS_RET_GNUTLS_ERR); \

+		ABORTgnutls; \

 	} \

 }

@@ -192,9 +201,13 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)

 	/* try load certificate */

 	CHKiRet(readFile(certFile, &data));

-	CHKgnutls(gnutls_x509_crt_init(&pThis->ourCert));

	pThis->bOurCertIsInit = 1;

-	CHKgnutls(gnutls_x509_crt_import(pThis->ourCert, &data, GNUTLS_X509_FMT_PEM));

+	pThis->nOurCerts = sizeof(pThis->pOurCerts) / sizeof(gnutls_x509_crt_t);

+	gnuRet = gnutls_x509_crt_list_import(pThis->pOurCerts, &pThis->nOurCerts,

+		&data, GNUTLS_X509_FMT_PEM,  GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);

+	if(gnuRet < 0) {

+		ABORTgnutls;

+	}

 	free(data.data);

 	data.data = NULL;

@@ -210,7 +222,9 @@ finalize_it:

 		if(data.data != NULL)

 			free(data.data);

 		if(pThis->bOurCertIsInit) {

-			gnutls_x509_crt_deinit(pThis->ourCert);

+			for(unsigned i=0; i<pThis->nOurCerts; ++i) {

+				gnutls_x509_crt_deinit(pThis->pOurCerts[i]);

+			}

 			pThis->bOurCertIsInit = 0;

 		}

 		if(pThis->bOurKeyIsInit) {

@@ -255,8 +269,8 @@ gtlsClientCertCallback(gnutls_session_t

 #else

 	st->type = GNUTLS_CRT_X509;

 #endif

-	st->ncerts = 1;

-	st->cert.x509 = &pThis->ourCert;

+	st->ncerts = pThis->nOurCerts;

+	st->cert.x509 = pThis->pOurCerts;

 	st->key.x509 = pThis->ourKey;

 	st->deinit_all = 0;

@@ -532,8 +546,8 @@ gtlsRecordRecv(nsd_gtls_t *pThis)

 		dbgprintf("GnuTLS receive requires a retry (this most probably is OK and no error condition)\n");

 		ABORT_FINALIZE(RS_RET_RETRY);

 	} else {

-		int gnuRet; /* TODO: build a specific function for GnuTLS error reporting */

-		CHKgnutls(lenRcvd); /* this will abort the function */

+		int gnuRet = lenRcvd;

+		ABORTgnutls;

 	}

 finalize_it:

@@ -646,7 +660,7 @@ gtlsInitSession(nsd_gtls_t *pThis)

 	pThis->bIsInitiator = 0;

 	/* avoid calling all the priority functions, since the defaults are adequate. */

-	CHKgnutls(gnutls_set_default_priority(session));

+

 	CHKgnutls(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred));

 	/* request client certificate if any.  */

@@ -1204,7 +1218,9 @@ CODESTARTobjDestruct(nsd_gtls)

 	}

 	if(pThis->bOurCertIsInit)

-		gnutls_x509_crt_deinit(pThis->ourCert);

+                for(unsigned i=0; i<pThis->nOurCerts; ++i) {

+			gnutls_x509_crt_deinit(pThis->pOurCerts[i]);

+                }

 	if(pThis->bOurKeyIsInit)

 		gnutls_x509_privkey_deinit(pThis->ourKey);

 	if(pThis->bHaveSess)

@@ -1299,6 +1315,21 @@ finalize_it:

 }

+/* gnutls priority string

+ * PascalWithopf 2017-08-16

+ */

+static rsRetVal

+SetGnutlsPriorityString(nsd_t *pNsd, uchar *gnutlsPriorityString)

+{

+	DEFiRet;

+	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;

+

+	ISOBJ_TYPE_assert((pThis), nsd_gtls);

+	pThis->gnutlsPriorityString = gnutlsPriorityString;

+	RETiRet;

+}

+

+

 /* Provide access to the underlying OS socket. This is primarily

  * useful for other drivers (like nsd_gtls) who utilize ourselfs

  * for some of their functionality. -- rgerhards, 2008-04-18

@@ -1476,6 +1507,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew

 	int gnuRet;

 	nsd_gtls_t *pNew = NULL;

 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;

+	const char *error_position;

 	ISOBJ_TYPE_assert((pThis), nsd_gtls);

 	CHKiRet(nsd_gtlsConstruct(&pNew)); // TODO: prevent construct/destruct!

@@ -1493,6 +1525,19 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew

 	gtlsSetTransportPtr(pNew, ((nsd_ptcp_t*) (pNew->pTcp))->sock);

 	pNew->authMode = pThis->authMode;

 	pNew->pPermPeers = pThis->pPermPeers;

+	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;

+	/* here is the priorityString set */

+	if(pNew->gnutlsPriorityString != NULL) {

+		if(gnutls_priority_set_direct(pNew->sess,

+					(const char*) pNew->gnutlsPriorityString,

+					&error_position)==GNUTLS_E_INVALID_REQUEST) {

+			LogError(0, RS_RET_GNUTLS_ERR, "Syntax Error in"

+					" Priority String: \"%s\"\n", error_position);

+		}

+	} else {

+		/* Use default priorities */

+		CHKgnutls(gnutls_set_default_priority(pNew->sess));

+	}

 	/* we now do the handshake. This is a bit complicated, because we are 

 	 * on non-blocking sockets. Usually, the handshake will not complete

@@ -1673,6 +1718,31 @@ EnableKeepAlive(nsd_t *pNsd)

 	return nsd_ptcp.EnableKeepAlive(pThis->pTcp);

 }

+/*

+ * SNI should not be used if the hostname is a bare IP address

+ */

+static int

+SetServerNameIfPresent(nsd_gtls_t *pThis, uchar *host) {

+	struct sockaddr_in sa;

+	struct sockaddr_in6 sa6;

+

+	int inet_pton_ret = inet_pton(AF_INET, CHAR_CONVERT(host), &(sa.sin_addr));

+

+	if (inet_pton_ret == 0) { // host wasn't a bare IPv4 address: try IPv6

+		inet_pton_ret = inet_pton(AF_INET6, CHAR_CONVERT(host), &(sa6.sin6_addr));

+	}

+

+	switch(inet_pton_ret) {

+		case 1: // host is a valid IP address: don't use SNI

+			return 0;

+		case 0: // host isn't a valid IP address: assume it's a domain name, use SNI

+			return gnutls_server_name_set(pThis->sess, GNUTLS_NAME_DNS, host, ustrlen(host));

+		default: // unexpected error

+			return -1;

+	}

+

+}

+

 /* open a connection to a remote host (server). With GnuTLS, we always

  * open a plain tcp socket and then, if in TLS mode, do a handshake on it.

  * rgerhards, 2008-03-19

@@ -1685,6 +1755,7 @@ Connect(nsd_t *pNsd, int family, uchar *

 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;

 	int sock;

 	int gnuRet;

+	const char *error_position;

 #	ifdef HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY

 	static const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 };

 #	endif

@@ -1704,6 +1775,8 @@ Connect(nsd_t *pNsd, int family, uchar *

 	pThis->bHaveSess = 1;

 	pThis->bIsInitiator = 1;

+	CHKgnutls(SetServerNameIfPresent(pThis, host));

+

 	/* in the client case, we need to set a callback that ensures our certificate

 	 * will be presented to the server even if it is not signed by one of the server's

 	 * trusted roots. This is necessary to support fingerprint authentication.

@@ -1721,8 +1794,19 @@ Connect(nsd_t *pNsd, int family, uchar *

 		FINALIZE; /* we have an error case! */

 	}

-	/* Use default priorities */

-	CHKgnutls(gnutls_set_default_priority(pThis->sess));

+	/*priority string setzen*/

+	if(pThis->gnutlsPriorityString != NULL) {

+		if(gnutls_priority_set_direct(pThis->sess,

+					(const char*) pThis->gnutlsPriorityString,

+					&error_position)==GNUTLS_E_INVALID_REQUEST) {

+			LogError(0, RS_RET_GNUTLS_ERR, "Syntax Error in"

+					" Priority String: \"%s\"\n", error_position);

+		}

+	} else {

+		/* Use default priorities */

+		CHKgnutls(gnutls_set_default_priority(pThis->sess));

+	}

+

 #	ifdef HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY

 	/* The gnutls_certificate_type_set_priority function is deprecated

 	 * and not available in recent GnuTLS versions. However, there is no

@@ -1806,6 +1890,7 @@ CODESTARTobjQueryInterface(nsd_gtls)

 	pIf->SetKeepAliveIntvl = SetKeepAliveIntvl;

 	pIf->SetKeepAliveProbes = SetKeepAliveProbes;

 	pIf->SetKeepAliveTime = SetKeepAliveTime;

+	pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;

 finalize_it:

 ENDobjQueryInterface(nsd_gtls)

diff -up rsyslog-8.24.0/runtime/nsd_gtls.h.v36tls rsyslog-8.24.0/runtime/nsd_gtls.h

--- rsyslog-8.24.0/runtime/nsd_gtls.h.v36tls	2016-12-03 17:41:03.000000000 +0000

+++ rsyslog-8.24.0/runtime/nsd_gtls.h	2019-08-19 17:37:07.878166693 +0100

@@ -25,6 +25,7 @@

 #include "nsd.h"

 #define NSD_GTLS_MAX_RCVBUF 8 * 1024 /* max size of buffer for message reception */

+#define NSD_GTLS_MAX_CERT 10 /* max number of certs in our chain */

 typedef enum {

 	gtlsRtry_None = 0,	/**< no call needs to be retried */

@@ -56,7 +57,10 @@ struct nsd_gtls_s {

 				 * set to 1 and changed to 0 after the first report. It is changed back to 1 after

 				 * one successful authentication. */

 	permittedPeers_t *pPermPeers; /* permitted peers */

-	gnutls_x509_crt_t ourCert;	/**< our certificate, if in client mode (unused in server mode) */

+	uchar *gnutlsPriorityString;	/* gnutls priority string */

+	gnutls_x509_crt_t pOurCerts[NSD_GTLS_MAX_CERT];	/**< our certificate, if in client mode

+							(unused in server mode) */

+	unsigned int nOurCerts;  /* number of certificates in our chain */

 	gnutls_x509_privkey_t ourKey;	/**< our private key, if in client mode (unused in server mode) */

 	short	bOurCertIsInit;	/**< 1 if our certificate is initialized and must be deinit on destruction */

 	short	bOurKeyIsInit;	/**< 1 if our private key is initialized and must be deinit on destruction */

diff -up rsyslog-8.24.0/runtime/nsd.h.v36tls rsyslog-8.24.0/runtime/nsd.h

--- rsyslog-8.24.0/runtime/nsd.h.v36tls	2017-01-10 09:00:04.000000000 +0000

+++ rsyslog-8.24.0/runtime/nsd.h	2019-08-19 17:37:07.878166693 +0100

@@ -83,14 +83,17 @@ BEGINinterface(nsd) /* name must also be

 	rsRetVal (*SetKeepAliveIntvl)(nsd_t *pThis, int keepAliveIntvl);

 	rsRetVal (*SetKeepAliveProbes)(nsd_t *pThis, int keepAliveProbes);

 	rsRetVal (*SetKeepAliveTime)(nsd_t *pThis, int keepAliveTime);

+	/* v10 */

+	rsRetVal (*SetGnutlsPriorityString)(nsd_t *pThis, uchar *gnutlsPriorityString);

 ENDinterface(nsd)

-#define nsdCURR_IF_VERSION 9 /* increment whenever you change the interface structure! */

+#define nsdCURR_IF_VERSION 10 /* increment whenever you change the interface structure! */

 /* interface version 4 added GetRemAddr()

  * interface version 5 added EnableKeepAlive() -- rgerhards, 2009-06-02

  * interface version 6 changed return of CheckConnection from void to rsRetVal -- alorbach, 2012-09-06

  * interface version 7 changed signature ofGetRempoteIP() -- rgerhards, 2013-01-21

  * interface version 8 added keep alive parameter set functions

  * interface version 9 changed signature of Connect() -- dsa, 2016-11-14

+ * interface version 10 added SetGnutlsPriorityString() -- PascalWithopf, 2017-08-08

  */

 /* interface  for the select call */

diff -up rsyslog-8.24.0/runtime/nsd_ptcp.c.v36tls rsyslog-8.24.0/runtime/nsd_ptcp.c

--- rsyslog-8.24.0/runtime/nsd_ptcp.c.v36tls	2017-01-10 09:00:04.000000000 +0000

+++ rsyslog-8.24.0/runtime/nsd_ptcp.c	2019-08-19 17:37:07.879166693 +0100

@@ -176,6 +176,23 @@ finalize_it:

 }

+/* Set priorityString

+ * PascalWithopf 2017-08-18 */

+static rsRetVal

+SetGnutlsPriorityString(nsd_t __attribute__((unused)) *pNsd, uchar *iVal)

+{

+	DEFiRet;

+	if(iVal != NULL) {

+		LogError(0, RS_RET_VALUE_NOT_SUPPORTED, "error: "

+		"gnutlsPriorityString '%s' not supported by ptcp netstream "

+		"driver", iVal);

+		ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);

+	}

+finalize_it:

+	RETiRet;

+}

+

+

 /* Set the permitted peers. This is a dummy, always returning an

  * error because we do not support fingerprint authentication.

  * rgerhards, 2008-05-17

@@ -535,6 +552,7 @@ LstnInit(netstrms_t *pNS, void *pUsr, rs

 		CHKiRet(pNS->Drvr.SetMode(pNewNsd, netstrms.GetDrvrMode(pNS)));

 		CHKiRet(pNS->Drvr.SetAuthMode(pNewNsd, netstrms.GetDrvrAuthMode(pNS)));

 		CHKiRet(pNS->Drvr.SetPermPeers(pNewNsd, netstrms.GetDrvrPermPeers(pNS)));

+		CHKiRet(pNS->Drvr.SetGnutlsPriorityString(pNewNsd, netstrms.GetDrvrGnutlsPriorityString(pNS)));

 		CHKiRet(netstrms.CreateStrm(pNS, &pNewStrm));

 		pNewStrm->pDrvrData = (nsd_t*) pNewNsd;

 		pNewNsd = NULL;

@@ -854,6 +872,7 @@ CODESTARTobjQueryInterface(nsd_ptcp)

 	pIf->SetSock = SetSock;

 	pIf->SetMode = SetMode;

 	pIf->SetAuthMode = SetAuthMode;

+	pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;

 	pIf->SetPermPeers = SetPermPeers;

 	pIf->Rcv = Rcv;

 	pIf->Send = Send;

diff -up rsyslog-8.24.0/runtime/tcpsrv.c.v36tls rsyslog-8.24.0/runtime/tcpsrv.c

--- rsyslog-8.24.0/runtime/tcpsrv.c.v36tls	2019-08-19 17:37:07.874166693 +0100

+++ rsyslog-8.24.0/runtime/tcpsrv.c	2019-08-19 17:37:07.880166693 +0100

@@ -470,6 +470,9 @@ SessAccept(tcpsrv_t *pThis, tcpLstnPortL

 	}

 	/* we found a free spot and can construct our session object */

+	if(pThis->gnutlsPriorityString != NULL) {

+		CHKiRet(netstrm.SetGnutlsPriorityString(pNewStrm, pThis->gnutlsPriorityString));

+	}

 	CHKiRet(tcps_sess.Construct(&pSess));

 	CHKiRet(tcps_sess.SetTcpsrv(pSess, pThis));

 	CHKiRet(tcps_sess.SetLstnInfo(pSess, pLstnInfo));

@@ -1001,6 +1004,8 @@ tcpsrvConstructFinalize(tcpsrv_t *pThis)

 		CHKiRet(netstrms.SetDrvrAuthMode(pThis->pNS, pThis->pszDrvrAuthMode));

 	if(pThis->pPermPeers != NULL)

 		CHKiRet(netstrms.SetDrvrPermPeers(pThis->pNS, pThis->pPermPeers));

+	if(pThis->gnutlsPriorityString != NULL)

+		CHKiRet(netstrms.SetDrvrGnutlsPriorityString(pThis->pNS, pThis->gnutlsPriorityString));

 	CHKiRet(netstrms.ConstructFinalize(pThis->pNS));

 	/* set up listeners */

@@ -1173,6 +1178,16 @@ SetKeepAliveTime(tcpsrv_t *pThis, int iV

 }

 static rsRetVal

+SetGnutlsPriorityString(tcpsrv_t *pThis, uchar *iVal)

+{

+	DEFiRet;

+	DBGPRINTF("tcpsrv: gnutlsPriorityString set to %s\n",

+		(iVal == NULL) ? "(null)" : (const char*) iVal);

+	pThis->gnutlsPriorityString = iVal;

+	RETiRet;

+}

+

+static rsRetVal

 SetOnMsgReceive(tcpsrv_t *pThis, rsRetVal (*OnMsgReceive)(tcps_sess_t*, uchar*, int))

 {

 	DEFiRet;

@@ -1414,6 +1429,7 @@ CODESTARTobjQueryInterface(tcpsrv)

 	pIf->SetKeepAliveIntvl = SetKeepAliveIntvl;

 	pIf->SetKeepAliveProbes = SetKeepAliveProbes;

 	pIf->SetKeepAliveTime = SetKeepAliveTime;

+	pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;

 	pIf->SetUsrP = SetUsrP;

 	pIf->SetInputName = SetInputName;

 	pIf->SetOrigin = SetOrigin;

diff -up rsyslog-8.24.0/runtime/tcpsrv.h.v36tls rsyslog-8.24.0/runtime/tcpsrv.h

--- rsyslog-8.24.0/runtime/tcpsrv.h.v36tls	2019-08-19 17:37:07.874166693 +0100

+++ rsyslog-8.24.0/runtime/tcpsrv.h	2019-08-19 17:37:07.880166693 +0100

@@ -61,6 +61,7 @@ struct tcpsrv_s {

 	int iKeepAliveTime;	/**< socket layer KEEPALIVE timeout */

 	netstrms_t *pNS;	/**< pointer to network stream subsystem */

 	int iDrvrMode;		/**< mode of the stream driver to use */

+	uchar *gnutlsPriorityString;	/**< priority string for gnutls */

 	uchar *pszDrvrAuthMode;	/**< auth mode of the stream driver to use */

 	uchar *pszDrvrName;	/**< name of stream driver to use */

 	uchar *pszInputName;	/**< value to be used as input name */

@@ -169,6 +170,8 @@ BEGINinterface(tcpsrv) /* name must also

 	rsRetVal (*SetKeepAliveTime)(tcpsrv_t*, int);

 	/* added v18 */

 	rsRetVal (*SetbSPFramingFix)(tcpsrv_t*, sbool);

+	/* added v19 -- PascalWithopf, 2017-08-08 */

+	rsRetVal (*SetGnutlsPriorityString)(tcpsrv_t*, uchar*);

 	/* added v21 -- Preserve case in fromhost, 2018-08-16 */

 	rsRetVal (*SetPreserveCase)(tcpsrv_t *pThis, int bPreserveCase);

 ENDinterface(tcpsrv)

diff -up rsyslog-8.24.0/tools/omfwd.c.v36tls rsyslog-8.24.0/tools/omfwd.c

--- rsyslog-8.24.0/tools/omfwd.c.v36tls	2019-08-19 17:37:07.848166695 +0100

+++ rsyslog-8.24.0/tools/omfwd.c	2019-08-19 17:37:07.881166693 +0100

@@ -91,6 +91,7 @@ typedef struct _instanceData {

 	int iKeepAliveIntvl;

 	int iKeepAliveProbes;

 	int iKeepAliveTime;

+	uchar *gnutlsPriorityString;

 #	define	FORW_UDP 0

 #	define	FORW_TCP 1

@@ -138,6 +139,7 @@ typedef struct configSettings_s {

 	int iKeepAliveIntvl;

 	int iKeepAliveProbes;

 	int iKeepAliveTime;

+	uchar *gnutlsPriorityString;

 	permittedPeers_t *pPermPeers;

 } configSettings_t;

 static configSettings_t cs;

@@ -169,6 +171,7 @@ static struct cnfparamdescr actpdescr[]

 	{ "keepalive.probes", eCmdHdlrPositiveInt, 0 },

 	{ "keepalive.time", eCmdHdlrPositiveInt, 0 },

 	{ "keepalive.interval", eCmdHdlrPositiveInt, 0 },

+	{ "gnutlsprioritystring", eCmdHdlrString, 0 },

 	{ "streamdriver", eCmdHdlrGetWord, 0 },

 	{ "streamdrivermode", eCmdHdlrInt, 0 },

 	{ "streamdriverauthmode", eCmdHdlrGetWord, 0 },

@@ -717,6 +720,9 @@ static rsRetVal TCPSendInit(void *pvData

 			CHKiRet(netstrm.SetDrvrPermPeers(pWrkrData->pNetstrm, pData->pPermPeers));

 		}

 		/* params set, now connect */

+		if(pData->gnutlsPriorityString != NULL) {

+			CHKiRet(netstrm.SetGnutlsPriorityString(pWrkrData->pNetstrm, pData->gnutlsPriorityString));

+		}

 		CHKiRet(netstrm.Connect(pWrkrData->pNetstrm, glbl.GetDefPFFamily(),

 			(uchar*)pData->port, (uchar*)pData->target, pData->device));

@@ -960,6 +966,7 @@ setInstParamDefaults(instanceData *pData

 	pData->iKeepAliveProbes = 0;

 	pData->iKeepAliveIntvl = 0;

 	pData->iKeepAliveTime = 0;

+	pData->gnutlsPriorityString = NULL;

 	pData->bResendLastOnRecon = 0; 

 	pData->bSendToAll = -1;  /* unspecified */

 	pData->iUDPSendDelay = 0;

@@ -1046,6 +1053,8 @@ CODESTARTnewActInst

 			pData->iKeepAliveIntvl = (int) pvals[i].val.d.n;

 		} else if(!strcmp(actpblk.descr[i].name, "keepalive.time")) {

 			pData->iKeepAliveTime = (int) pvals[i].val.d.n;

+		} else if(!strcmp(actpblk.descr[i].name, "gnutlsprioritystring")) {

+			pData->gnutlsPriorityString = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);

 		} else if(!strcmp(actpblk.descr[i].name, "streamdriver")) {

 			pData->pszStrmDrvr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);

 		} else if(!strcmp(actpblk.descr[i].name, "streamdrivermode")) {